Self-Monitoring Universal Scaling Controller for Software Network Functions

ABSTRACT

A method for self-monitored universal scaling of software network functions involves receiving, at a switch of a network, one or more batches of data units. The network further includes one or more network function (NF) instances of an NF service, and a scaling controller. The switch transmits first data units to an NF instance of the NF service during a first time period. A first distribution associated with the NF instance is updated using the first transmitted data units. Upon determining that the updated distribution has changed such that a first measure of the first distribution is outside of a first confidence interval threshold, the first distribution is reinitialized. The switch transmits second data units to the NF instance during a second time period. The reinitialized first distribution is updated using the second transmitted data units to produce a second distribution associated with the NF instance.

RELATED APPLICATION

This application relates to U.S. patent application Ser. No. 16/353,062, filed Mar. 14, 2019, all of which is incorporated by reference herein in its entirety for all purposes.

BACKGROUND

Software network functions (NFs) are software applications that process packets from a network traffic stream. Examples of NF services include network intrusion detection systems (IDS), protocol or WAN optimizers, firewalls, Network Address Translators (NATs), and so forth.

Packets of the network stream are processed by one or more NF instances of an NF service. For example, if traffic is processed by both a firewall and a load balancer, there may be three firewall instances and two load balancer instances. Each NF instance is allocated some amount of resources (primarily CPU cores and bytes of memory). Given a fixed resource allocation, an NF instance can process a limited number of packets per second without introducing latency or dropping an unacceptable number of packets. If the input traffic rate exceeds this rate, an NF is said to be in an overload state. That is, when an NF instance cannot or will not (e.g., due to a policy or licensing decision) process packets at the rate at which it receives the packets, it is in an overload state. In contrast, when an NF instance receives packets at a rate that is significantly less than the rate at which it can process packets, it is in an underload state. When an NF is in an overload state, network traffic latency may be undesirably increased and/or packets of the network traffic stream may be dropped. To mitigate such potentially unacceptable effects, multiple instances of the NF are needed.

The problem of scaling NF instances in a network arises in the context of many scalable software services, e.g., web services. A typical approach in many such contexts is to monitor a CPU load of a processor implementing an NF instance. If the CPU load of that processor exceeds a pre-defined threshold for a given duration, an additional NF instance is provisioned (e.g., installed and/or running as software, as dedicated hardware, or otherwise implemented). However, some NFs implement a polling routine that checks for new network data from the network traffic stream at a high frequency. Because of the high-frequency polling rate, the CPU running that NF will indicate a utilization of 100%. Thus, CPU load may not always be relied upon as an indicator of NF overload or underload.

SUMMARY

In some embodiments, a method involves receiving one or more batches of data units at a switch of a network. The network further includes one or more network function (NF) instances of an NF service, and a scaling controller. First data units of the one or more batches of data units are transmitted from the switch to an NF instance of the one or more NF instances. A first distribution associated with the NF instance is updated using the first plurality of data units. The first distribution corresponds to how many data units of the first plurality of data units were transmitted from the switch to the NF instance during a first time period. It is determined whether the updated first distribution has changed such that a first measure of the first distribution is outside of a first confidence interval threshold. Upon determining that the first distribution has changed, the first distribution is reinitialized. Second data units of the one or more batches of data units are transmitted from the switch to the NF instance during a second time period. Using the second data units, the reinitialized first distribution is updated to produce a second distribution associated with the NF instance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A illustrates an example of a chain of software network functions of a network receiving a network traffic stream at a first rate, in accordance with some embodiments.

FIG. 1B illustrates the chain of software network functions receiving a network traffic stream at a second rate, in accordance with some embodiments.

FIGS. 2-3 illustrate a network traffic stream traversing an example network architecture for universal scaling of software network functions, in accordance with some embodiments.

FIG. 4 illustrates details of an architecture with a universal scaling controller for software network functions, in accordance with some embodiments.

FIGS. 5-6 illustrate portions of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 7A is a table of network parameters determined by, or used for, a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 7B is a table of network state variables determined by, or used for, a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 7C is a table of configurable parameters of a method for universal scaling of software network functions, in accordance with some embodiments.

FIGS. 8-9 illustrate portions of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 10 illustrates a queue occupancy calculation, in accordance with some embodiments.

FIGS. 11-12 illustrate portions of a method for universal scaling of software network functions, in accordance with some embodiments.

FIGS. 13A-B illustrate a relationship between distributions used by a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 14 illustrates an example of a chain of software network functions of a network and associated distributions used by the method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 15 includes simplified plots of data associated with an instance of a software network function during a state transition, in accordance with some embodiments.

FIG. 16A includes simplified plots detailing operation of a portion of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 16B includes a table of configurable parameters determined by, or used for, a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 17A includes simplified plots detailing operation of a portion of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 17B includes a table of configurable parameters determined by, or used for, a method for universal scaling of software network functions, in accordance with some embodiments.

FIGS. 18-20C illustrate portions of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 21 includes simplified plots of data associated with an instance of a software network function during a state transition, in accordance with some embodiments.

FIGS. 22-23 illustrate portions of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 24 is a table of configurable parameters determined by, or used for, a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 25 illustrates a portion of a method for universal scaling of software network functions, in accordance with some embodiments.

FIG. 26 illustrates an example compute node of a network with a universal scaling controller for software network functions, in accordance with some embodiments.

DETAILED DESCRIPTION

Embodiments of systems and methods for scaling software network functions (NFs) using a universal scaling controller (USC, or “scaling controller”) are described herein. The USC addresses the problem of determining an optimal number of NF instances of an NF service to run within a network given an incoming packet rate or estimated future packet rate. An optimal number of NF instances ensures that the NF service does not introduce additional latency or drop more packets than expected, while also not wasting system resources by provisioning superfluous NF instances.

In accordance with some embodiments, the USC generally i) estimates a maximum “safe” packet rate for each NF instance of an NF service, ii) uses those estimates to determine a representative estimated maximum safe packet rate for the NF service, iii) determines a current packet rate or estimated future packet rate for the NF service, and iv) uses the representative estimated maximum safe packet rate and the current packet rate or estimated future packet rate for the NF service to determine how many NF instances of the NF service should be provisioned. In some embodiments, a provisioning module receives an indication of the USC's determination and provisions or de-provisions NF instances based on that indication. In other embodiments, the USC simply emits an overload/not-overload or overload/underload signal (e.g., a health, control, or monitor signal) which can be used by other nodes of the network.

During steady state operation of an NF instance of an NF service, the estimated maximum safe packet rate for each NF instance of the NF service is likely to provide an acceptably accurate input to the USC for determining a representative estimated maximum safe packet rate for the NF service. However, a sudden change in network traffic characteristics through a given NF instance, or a change in operational settings of that NF instance, can create a rapid state transition in how many packets are processed by that NF instance. During and after such rapid state transitions, the estimated maximum safe packet rate for that NF instance may no longer be an accurate estimate of an actual maximum safe packet rate for that NF instance.

The present disclosure uniquely recognizes the need to address rapid state transitions. Thus, in some embodiments, the USC advantageously self-monitors underlying data associated with one or more NF instances of an NF service to ensure that the representative estimated maximum safe packet rate is likely to provide an accurate estimate of an actual maximum safe packet rate of that NF service. The USC self-monitors such underlying data by repeatedly determining if a distribution of packets processed by an NF instance of the NF service has changed such that one or more measurements of the distribution (e.g., a central tendency and/or a measure of dispersion) are no longer within an acceptable confidence interval. In some embodiments, repeatedly determining if a distribution of packets processed by an NF instance of the NF service has changed involves making a determination on an ongoing basis during operation of the USC, e.g., continuously, periodically, or based on a signal or event trigger. Upon determining that the distribution of packets transmitted to the NF instance has changed, the USC reinitializes (i.e., resets) the distribution. When a distribution is reinitialized, past values of that distribution are discarded and a new distribution is calculated using packets subsequently transmitted to the NF instance. The USC repeatedly monitors the new distribution as additional packets are transmitted to the NF instance to determine if the new distribution is likely to provide an accurate estimate of an actual maximum safe packet rate of the NF service. Upon determining that one or more measurements of the new distribution are within an acceptable confidence interval and other criteria are met, the USC uses the new distribution to provide an estimate of a maximum safe packet rate of the NF service.

The USC provides increased stability of the network by considering all NF instances of an NF service globally rather than on a per-instance basis. Because of this global view, situations where a conventional NF provisioning controller (i.e., one that does not consider all NF instances of an NF service globally or that considers NF instances only on a per-instance basis) might simultaneously dictate that an additional NF instance should be provisioned (because one NF instance is overloaded), and dictate that an NF instance should be de-provisioned (because another NF instance is underloaded), are avoided.

Additionally, the USC advantageously does not require any knowledge about how particular NFs function internally and does not require cooperation from the NFs themselves. Rather, the USC bases scaling directives on a number of metrics which include (1) queue occupancy of network switches which transmit packets to the NF instances, (2) packet loss from the network switches, (3) packet rate, and secondary metrics which will be described. These metrics can typically be determined for any NF, and thus the present embodiments are “universal”.

An NF service in this context is a logical construct that is implemented in the network by one or more NF instances. An NF instance is an application that is provisioned (e.g., installed and/or running as software, as dedicated hardware, or otherwise implemented in or on a computer device or specialized network hardware device) within the network. The performance of an NF service is generally based on a throughput of packets by each NF instance of that NF service. Typically, when an NF instance is provisioned at a compute node, that NF instance is allocated a fixed CPU and memory allocation of the compute node and these allocations determine a maximum throughput of packets by the NF instance. Thus, the number of NF instances of an NF service needed at a given time can be determined almost entirely by the amount of network traffic that each of the NF instances can process as compared to the amount of network traffic designated to be processed by the NF service. This contrasts with typical scaling solutions, such as those implemented for scaling virtual machine (VM) instances, which may scale based on factors such as memory usage or CPU loading of compute nodes.

In the context of NFs, CPU load alone generally cannot be relied upon as an indicator of NF instance loading. This is because many NFs implement a high-frequency polling routine to check for new network data from the network traffic stream. Due to this high-frequency polling rate, a CPU will typically indicate a utilization of 100%. Because CPU utilization may not be an accurate indicator of an NF instance overload/underload condition, the USC uses processed packet rate as a primary metric to determine NF instance provisioning. However, using processed packet rate as a primary metric requires a reliable estimate of an NF's maximum packet processing rate (e.g., how quickly an NF instance is able to receive new packets from a packet sender, such as a switch, and/or how quickly the NF instance can process those packets), which is heavily dependent on workload and thus changes over time. To address this challenge, the USC uses queue occupancy of the network switches and packet loss from the network switches (as well as secondary metrics, when available) to estimate a maximum safe data or packet processing rate for each NF instance. The aggregate of estimated maximum data unit/packet processing rates corresponding to the set of NF instances of the NF service is then used to determine an estimated maximum safe data unit/packet processing rate that is representative of the NF service. A “representative” estimated maximum safe packet/data unit rate, or “representative estimated maximum safe data unit rate” of an NF service is an estimate of a maximum packet/data unit rate that the NF service can process without introducing unacceptable latency or dropping an unacceptable number of packets and is determined using the estimated maximum safe packet/data unit rates of the NF instances of that NF service.

In addition to using an estimated maximum data unit/packet processing rate as a metric to determine NF scaling, the USC uses secondary metrics such as explicit signals from an NF instance, from a compute node, from an NF manager module, or even CPU utilization when these metrics are available and useful (e.g., if the NF does not poll, or polling routines are directed to a particular core of a compute node). However, these secondary metrics are not required, which advantageously results in a solution that is more general than one that requires such metrics.

Based on the representative estimated maximum safe data unit rate for the NF service, and based on a determined or estimated incoming data unit rate designated to be received by the NF service, in some embodiments the USC determines the number of NF instances of an NF service that should be provisioned within the network and communicates that number to a NF provisioning control module. This communication is declarative, in that the USC indicates a total number of NF instances which should be running in the network at a given time. This is in contrast to conventional solutions which generally provide iterative directives such as “add one NF instance” or “remove one NF instance.” A declarative provisioning control signal advantageously prevents scenarios where an NF provisioning controller is directed to add an NF instance, the new NF instance boots slowly, and the NF provisioning controller erroneously provisions additional NF instances in the meantime.

In some embodiments, the USC is implemented as a software component on a compute node in a cluster of compute nodes where the software NFs and other management software run. However, the USC could be provisioned elsewhere (e.g., as a centralized cloud service that manages scaling for multiple, independent software NF clusters). In some embodiments, the USC receives additional information from sources like a compute node's network interface cards (NICs), or a compute node cluster's top of rack (ToR) switch (i.e., a network switch placed at a rack that includes multiple compute nodes).

The estimated maximum safe packet rate (also referred to as an “estimated maximum safe data unit rate”) for an NF instance is an estimate of a maximum packet/data rate that the NF instance should be able to handle without experiencing overload. A “packet” is taken to mean a single unit of data (“data unit”) exchanged between peers of a network. A packet, or data unit, can be a bit, a portion of a bit stream, a byte, a block of data, an encapsulated block of data, a protocol data unit (PDU), or other portion of data. A packet rate is a ratio (e.g., packets per second) of the number of packets transmitted or received by an element of the network to a period of time (e.g., a time window such as 100 μs, 1 ms, 100 ms, 1 s, 10 s, 30 s, etc.) during which they are received. A “batch” is a set or group of one or more packets, bits, bytes, or other units of data.

During each window of time, the USC calculates the estimated maximum safe packet rate for each NF instance of each NF service. The estimated maximum safe packet rate is a different value than a maximum possible rate that the NF instance can handle (e.g., the absolute fastest the NF instance can process packets). The estimated maximum safe packet rate is based on an “overload” distribution of processed batch sizes at an overload-inducing load which is updated for each NF instance over multiple periods of time.

In some embodiments, an exponentially weighted moving average and a variance corresponding to processed batch sizes when the NF instance is experiencing overload is calculated, thereby producing an “overload distribution”. In some embodiments, the estimated maximum safe packet rate of an NF instance is the central tendency of the overload distribution minus a measure of dispersion (e.g., one, two, or three standard deviations, or another value entirely). For example, in some embodiments, the estimated maximum safe packet rate of an NF instance is the mean of the overload distribution minus two standard deviations. In other embodiments, the estimated maximum safe packet rate of an NF instance is the median of the overload distribution minus two standard deviations. A central tendency is a center or typical value (e.g., mean, median, mode, midrange, or other) for a probability distribution. A measure of dispersion is indicative of how samples (of a sample set or population) deviate from the central tendency (e.g., variability, scatter, variance, standard deviation, spread, or other).

In some embodiments, the representative estimated maximum safe packet rate of an NF service is the largest estimated maximum safe packet rate of the NF instances of that NF service. In other embodiments, the representative estimated maximum safe packet rate of an NF service is the median or average estimated maximum safe packet rate of the NF instances of that NF service. In still yet other embodiments, the representative estimated maximum safe packet rate of an NF service is an aggregate of the estimated maximum safe packet rates of the NF instances of that NF service.

In addition to the overload distribution of processed batch sizes at an overload-inducing load, a “full” distribution of processed batch sizes is generated. If it is ever the case that the central tendency of the full distribution is larger than (e.g., has more probability mass to the right of) the central tendency of the overload distribution, this indicates that the overload distribution has become invalid, e.g., out-of-date or “stale.” In accordance with some embodiments, until the overload distribution is updated the full distribution is used to determine the representative estimated maximum safe packet rate. Details of the USC related processes are further described herein.

In addition to, or instead of, determining if the overload distribution has become stale as described above, in some embodiments it is determined whether a distribution associated with an NF instance of an NF service is no longer likely to be a valid estimate of a true distribution of processed batch sizes for that NF instance. Upon determining that a given distribution is no longer valid, the USC triggers a reinitialization of that distribution, after which the distribution is recalculated. While the distribution is being recalculated, the USC monitors if the recalculated distribution is likely to be a valid estimate of a true distribution of processed batch sizes for that NF instance. Upon determining that the recalculated distribution is likely to be a valid estimate of a true distribution of batch sizes for that NF instance, the USC uses the recalculated distribution to determine the estimated maximum safe packet rate, as described above.

FIG. 1A shows an example software network function chain (SFC) 102 of a network 100 which operates on an incoming network traffic stream during a time window designated as T₁. The SFC includes a deep-packet-inspection (DPI) NF service 110, a firewall NF service 111, a network-address-translation (NAT) NF service 112, and an analytics NF service 113. During the time window T₁, the SFC 102 operates on the incoming network traffic stream without any of the NF services 110-113 experiencing an overload condition. This contrasts with FIG. 1B, which shows the same SFC 102 operating on an incoming network traffic stream during a time window designated as T₂. As illustrated by a thicker arrow, the network traffic stream during time window T₂ enters the SFC 102 at a higher packet rate than during the time window T₁ The firewall NF service 111 is not able to process packets of the incoming network traffic stream at the increased data unit/packet rate. As a result, the firewall NF service 111 is overloaded and may introduce latency or even drop packets. Increased latency and/or dropped packets is illustrated by the dotted line exiting the firewall NF service 111.

FIG. 2 illustrates an incoming network traffic stream traversing an example network architecture 200 for universal scaling of software network functions during the time window T₂, in accordance with some embodiments. The network architecture 200 includes an implementation of the logical SFC shown in FIGS. 1A-B. As shown, each of the NF services 110-113 of FIGS. 1A-B is implemented as one or more NF instances distributed across compute nodes 230-232. For instance, the DPI NF service 110 is implemented as DPI NF instance 210, the firewall NF service 111 is implemented as firewall NF instance 211, the NAT NF service 112 is implemented as multiple NAT NF instances 212 a-n, and the analytics NF service 113 is implemented as the analytics NF instance 213. Each of the NF instances 210-213 receives incoming network traffic from, and transmits network traffic to, one or more network switches 240-242. In some embodiments, one or more of the network switches 240-242 is a software switch (e.g., a virtual switch). In other embodiments, one or more of the network switches 240-242 is a hardware switch. As shown, the network switch 240 receives data (e.g., bits, bytes, packets) from the network as incoming network traffic during a time window T₂. The network traffic traverses the NF instances 210-213 via the network switches 240-242 and continues to other network nodes (not shown) after egress from the switch 242.

A universal scaling controller (USC) 215 and an NF provisioning controller 216 operate at compute node 233 and are communicatively coupled with each other to exchange information related to provisioning/de-provisioning NF instances, as well as other system states and/or metrics. In some embodiments, the compute node 233 includes a network switch (similar to the network switches 240-242) that is coupled to the USC 215. In some embodiments, the controllers 215-216 are modules of a network controller module 217 (e.g., an NF management and organization module (MANO)) provisioned at the compute node 233. In other embodiments, the controllers 215-216 are stand-alone modules, are integrated into a single module, or are included in a network controller 218 that is provisioned outside of the compute node 233. The controllers 215-216 are configured to implement all or a portion of the methods described herein for universal scaling of software network functions.

The USC 215 receives metrics 250 a-e from a variety of sources within the network 200. Examples of such metrics include the metrics 250 a from the firewall NF instance 211, the metrics 250 b from the compute node 230, and the metrics 250 c-e from the network switches 240-242. In the example shown, the metrics 250 a originate at the firewall NF instance 211, or a controller module of the firewall NF instance 211, and include an explicit signal, state, value, data structure, flag or another indicator, such as an overload/underload signal. The metrics 250 b originate at the compute node 230 and include a signal, state, value, data structure, flag or another indicator from an operating system module, a hypervisor, a userspace program, a virtual machine, or another module located at the compute node 230. In some embodiments, the metrics 250 b include data indicative of CPU loading measurement and/or memory utilization measurement. The metrics 250 c-e include signals, states, values, data structures, or other indicators transmitted from the network switches 240-242. In some embodiments, the metrics 250 c-e include data indicative of amounts of data (packets, bits, bytes, etc.) received by the respective switch, amounts of data transmitted by the respective switch, queue occupancy indicators, indicators of lost data, or other information. In other embodiments, the USC 215 receives similar metrics, or other metrics related to the operation of the NF instances 210-213, the compute nodes 230-233, or other monitoring components (not shown), from additional sources or a different combination of sources (e.g., any of the NF instances 210-213 or other monitoring components or network probe modules (not shown)).

The USC 215 uses the received metrics 250 a-e to determine a total number of NF instances of an NF service that should be provisioned in the network 200 given the actual, estimated, or anticipated data rate of the incoming network traffic and an estimated maximum safe data unit rate that each NF instance of an NF service can “safely” process without experiencing overload. If the total number of NF instances that should be provisioned for a particular NF service is greater than the total number of NF instances that are currently provisioned for that service, additional NF instances of that NF service are caused to be provisioned by the NF provisioning controller 216 (e.g., to mitigate the effects of overload). Conversely, if the total number of NF instances that should be provisioned for a particular NF service is less than the total number of NF instances that are currently provisioned for that service, NF instances of that NF service are de-provisioned by the NF provisioning controller 216 (e.g., to prevent underload). De-provisioning unnecessary NF instance advantageously conserves system resources of the network 200 and potentially saves money for an operator of the network by reducing software licensing fees. The NF provisioning controller 216 is communicatively coupled to the USC 215, but does not have to reside on the same compute node as the USC 215.

Similar to FIG. 1B, the single instance of the firewall NF instance 211 cannot process data of the incoming network data stream at a sufficient rate and is thus considered to be overloaded. Because the firewall NF instance 211 is overloaded, the network data stream downstream of the firewall NF instance 211 may experience increased latency and/or dropped packets as illustrated by a dotted line.

FIG. 3 illustrates a network 300, which is similar to the network 200, after the USC 215 has indicated to the NF provisioning controller 216 that additional instances of the firewall NF service 111 should be provisioned. As shown, a firewall NF instance 311 a (similar to the firewall NF instance 211) is provisioned at the compute node 230 and firewall instances 311 b-n are provisioned at the compute node 231. As a result of provisioning additional instances of the firewall NF service 111, incoming network traffic during a time window T₃ does not induce an overload state in the firewall NF instances 311 a-n. Thus, the outgoing network traffic will not experience increased latency or dropped packets as was illustrated in FIG. 2.

FIG. 4 provides additional details of the USC 215 of the network 300, in accordance with some embodiments. As shown, the USC 215 generally includes an NF data rate estimation module 434 and an NF provisioning estimation module 435. As described herein, the modules 434-435 are configured to carry out all or a portion of the methods for universal scaling of software network functions, in accordance with some embodiments. As shown, one or both of the modules 434-435 of the USC 215 receive the metrics 250 a-e. By way of example, and continuing in the context of the firewall NF service 111, the metrics 250 a include an explicit signal from the firewall NF instance 311 a (e.g., an overload/underload flag), the metrics 250 b include a measure of CPU utilization from the compute node 230 (e.g., 90%), and the metrics 250 c-e include a received (Rx) data count, a transmitted (Tx) data count, a lost data count, and a measure of queue occupancy from the network switch 240. The USC 215 also receives a measure or estimation of a current or anticipated packet rate (NF service Rx data rate) that is designated to be received by the firewall NF service 111.

FIG. 5 illustrates a portion of a process 500 which is performed all or in part at the USC 215, in accordance with some embodiments. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. The steps of FIG. 5 are described with reference to FIGS. 2-4. At step 502, a batch of data packets is received at the network switch 240. At step 504, one or more packets are transmitted from the network switch 240 to an NF instance of an NF service. For example, the network switch 240 transmits one or more units of data to the firewall NF instance 211 of the firewall NF service 111. At step 506, an estimated maximum safe packet rate is determined for each instance of the NF service, and at step 508 a representative estimated maximum safe packet rate is determined for the NF service using the estimated maximum safe packet rates. In some embodiments, steps 506 and 508 are performed at the NF Data Rate Estimation Module 434. In other embodiments, all or a portion of step 506 is performed at a network switch (e.g., the network switch 240). Details of steps 506 and 508 are discussed with reference to FIGS. 8-12. At step 510, an incoming packet rate for the NF service is determined. In some embodiments, the determined incoming packet rate is equal to a total number of packets designated to be received by the NF service, divided by a duration of time during which those packets will be received by the NF service (e.g., packets per second). For example, a packet or unit of data having a destination address that corresponds to an NF instance of an NF service is “designated” to be received by the NF service. Or, as another example, a data packet or unit of data associated with an NF service header (NSH) which identifies the NF service, or an NF instance of the NF service is “designated” to be received by the NF service. In some embodiments, the total number of packets designated to be received by the NF service is an estimate of a future or subsequent value (e.g., a future anticipated data rate) and is estimated on-line or off-line. In other embodiments, the total number of packets designated to be received by the NF service is, or is representative of, a current value (e.g., the current data rate) during the same window or period of time that the representative safe data rate corresponds to. In still other embodiments, the total number of packets designated to be received by the NF service is, or is representative of, past values received by the NF service (e.g., a previous maximum data rate, an average data rate, or an initial data rate). In still yet other embodiments, the total number of packets designated to be received by the NF service is an initial or default value. In still yet other embodiments, the total number of packets designated to be received by the NF service is a minimum value. In some embodiments, step 510 is performed at the NF Data Rate Estimation Module 434, another module of the USC 215 (not shown), at the network controller module 217, the network controller 218, or at another module of the network 200/300.

Flow continues from step 510 to either or both of step 512 and step 514. At step 512, it is determined how many NF instances of an NF service should be provisioned within the network 200/300 based on the determined incoming packet rate of the NF service and the representative estimated maximum safe data rate for that NF service. Details of step 512 are discussed with reference to FIGS. 14-17. In some embodiments, step 512 is performed at the NF Data Rate Estimation Module 434. At step 514, an NF service overload signal is generated based on the determined incoming packet rate of the NF service and the representative estimated maximum safe data rate for that NF service. In some embodiments, the overload signal is generated if a ratio or quotient of these two values surpasses a threshold value. In some embodiments, the overload signal is transmitted to the network controller 218 or to another node of the network 200/300. In some embodiments, the overload signal contributes to network statistics collected for the network 200/300. In some embodiments, the overload signal alerts an operator of the network 200/300 of the overload state. In some embodiments, all or a portion of the process 500 is repeated at periodic intervals. In other embodiments, all or a portion of the process 500 is performed in response to an event or signal indicating that the process 500 is to be run.

In some embodiments, flow continues from step 512 to step 602 of FIG. 6. FIG. 6 illustrates a portion of a process 600 implemented all or in part by a universal scaling controller for software network functions, in accordance with some embodiments. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results.

At step 602, having determined at step 512 how many NF instances of an NF service should be provisioned in the network 200/300, a difference is calculated between that number and a number of NF instances of the NF service that are currently, or were previously, provisioned in the network. At step 604, it is determined if the difference is greater than zero. If the difference is greater than zero, flow continues to step 606. At step 606, one or more NF instances of the NF service are provisioned within the network 200/300 (e.g., as shown in FIG. 3, where additional instances of the firewall NF instances 311 a-n have been provisioned). If it is determined at step 604 that the difference is not greater than zero, flow continues to step 608. At step 608, it is determined if the difference is less than zero. If the difference is less than zero, flow continues to step 610. At step 610, one or more instances of the NF service are de-provisioned (e.g., removed, halted, uninstalled, or otherwise disabled) from the network 200/300. If it is determined at step 608 that the difference is not less than zero, the portion of process 600 illustrated in FIG. 6 is complete. In some embodiments, all or a portion of the steps of process 600 are performed at the NF provisioning controller 216. In some embodiments, all or a portion of the process 600 is repeated at periodic intervals. In other embodiments, all or a portion of the process 600 is performed in response to an event or signal indicating that the process 600 is to be run.

FIGS. 7A-C provide tables of values/variables/parameters which are discussed with reference to FIGS. 8-17, in accordance with some embodiments. In general, the table shown in FIG. 7A includes parameters of the network 200/300 which cannot be controlled by the USC 215. That is, these values represent a state of the network, or parameter of an NF instance, which is considered to be fixed within at least one window of time. The table shown in FIG. 7B includes state variables of the network 200/300 and the USC 215. The table shown in FIG. 7C includes parameters of the USC 215 which can be configured, in accordance with some embodiments.

FIG. 8 illustrates a portion of a method 800 for universal scaling of software network functions, in accordance with some embodiments. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. Except where otherwise specified, state variables and parameters shown and discussed with reference to FIG. 8 are defined in the tables shown in FIGS. 7A-C.

At step 802, an NF service counter variable i is initialized. Each integer value of the NF service counter variable i corresponds to one of I NF services considered by the USC 215 and is designated as NF_(i). Each of the I NF services is implemented as J NF instances of that NF service, each NF instance designated as NF_(i,j). At step 804, the NF service counter variable i is tested to see if it surpasses the total number I of NF services (e.g., whether each of the I NF services has been processed/considered). If i does not surpass I, flow continues to step 806. At step 806, an NF instance counter variable j is initialized. Each integer value of the NF instance counter variable j corresponds to one of J NF instances of an NF service i. At step 808, the NF instance counter variable j is tested to see if it surpasses the total number J of NF instances of the NF service i. If j does not surpass J, flow continues to step 810.

At step 810 an exponential weighted moving average full_EMAvg_p′_(i,j,t) and variance full_EMVar_p′_(i,j,t) of the number of packets p′_(i,j,t) (or other data unit) dequeued by NF_(i,j) during a time window t is updated according to the following equations:

δ=p′ _(i,j,t)<full_EMAvg_p′ _(i,j,t−1)  (Equation 1)

full_EMAvg_p′ _(i,j,t)=full_EMAvg_p′ _(i,j,t−1)+α×δ  (Equation 2)

full_EMVar_p′ _(i,j,t)=(1<α)×(full_EMVar_p′ _(i,j,t−1)+α×δ²)  (Equation 3)

The variable α is a tunable constant that determines how much weight new values should be given in the calculated exponential average. The time window t has a configurable duration. Other variables are described in the tables shown in FIGS. 7A-C. In some embodiments, the duration of the time window t is dynamically adjusted based on a number of packets b_(t) entering the system during a previous time window t, or based on a number of packets b_(i,t) to be processed by an NF service (NF_(i)) during a previous time window t. In other embodiments, the duration of the time window t is fixed at a particular value and is not dynamically adjusted.

Each of the process blocks 812-818 generally consider a respective state of each NF instance NF_(i,j) and determines an estimated maximum number of packets m′_(i,j,t) (or other data units) that the NF instance NF_(i,j) can safely process during a time window t. At step 812 a, it is determined if the NF instance NF_(i,j), experienced overload during time window t. If NF_(i,j) experienced overload during time window t, flow continues to step 812 b, where m′_(i,j,t+1) (e.g., an updated value of m′_(i,j,t)) is determined using an exponential moving average over_EMAvg_p′_(i,j,t) corresponding to a number of packets (or other data units) dequeued by NF_(i,j) during the time windows that NF_(i,j) was overloaded. Flow then continues to step 814, where the NF instance counter variable j is incremented and a next NF instance of the NF service i is considered by repeating steps 808 through 820 until the NF instance counter variable j surpasses the number J of NF instances of NF service i. Details of block 812 are described with reference to FIG. 9. If it was determined at step 812 a that NF_(i,j) was not overloaded during time window t, flow continues to step 816 a.

At step 816 a, it is determined if NF_(i,j) experienced underload during time window t. If NF_(i,j) was underloaded during time window t, flow continues to step 816 b, where m′_(i,j,t+1) is determined using one of over_EMAvg_p′_(i,j,t), full_EMAvg_p′_(i,j,t), or a previous value of m′_(i,j). Details of block 816 are described with reference to FIG. 11. If it was determined at step 816 a that NF_(i,j) was not underloaded during time window t, flow continues to step 818 a.

At step 818 a, it is determined if the values of over_EMAvg_p′_(i,j,t) and over_EMVAR_p′_(i,j,t) corresponding to NF_(i,j) are invalid, or are likely to be invalid, and as such should not necessarily be relied upon. If over_EMAvg_p′_(i,j,t) and over_EMVAR_p′_(i,j,t) are invalid, flow continues to step 818 b, where m′_(i,j,t+1) is determined using one of full_EMAvg_p′_(i,j,t), or a previous value of m′_(i,j). Details of block 818 are described with reference to FIG. 12. If it was determined at step 818 a that over_EMAvg_p′_(i,j,t) and over_EMVAR_p′_(i,j,t) are not invalid, flow continues to step 820. At step 820, m′_(i,j,t+1) is set to a previous value of m′_(i,j,t) as a default, or fallback, value given that the flow of process 800 passed through each of the decisions of steps 812 a, 816 a, and 818 a without triggering any of the respective sub-steps 812 b, 816 b, or 818 b.

After step 820, flow continues to step 814, and then returns to step 808, both of which were previously described. If at step 808 it is determined that the NF instance counter variable j surpasses the number J of NF instances of NF service i, flow continues to step 822. At step 822, the estimated maximum safe packet rate m′_(i,j,t+1) of each NF instance j of the NF service i (i.e., J values of m′_(i,j,t+1)) is considered or used to determine a representative estimated maximum safe packet rate m′_(i,j,t+1) of the NF service i. In some embodiments, the representative estimated maximum safe packet rate is the largest estimated maximum safe packet rate m′_(i,j,t+1) of the J NF instances of NF service i. In other embodiments, the representative estimated maximum safe packet rate is the median estimated maximum safe packet rate m′_(i,j,t+1) of the J NF instances of NF service i. In still other embodiments, the representative estimated maximum safe packet rate is an average, or other central tendency, of the J estimated maximum safe packet rates m′_(i,j,t+1) of the J NF instances of NF service i.

In some embodiments, if at step 818 a it was determined that one of the J NF instances of NF service i might have an invalid overload distribution, an optional probing step 824 is performed. At optional probing step 824, one of several probing strategies may be performed to induce an overload state in one or more of the NF J instances of NF service i such that the respective overload distribution of the one or more NF instances NF_(i,j) is updated. Optional step 824 is to prevent instances where the estimated maximum safe rate m′_(i,j,t) is too low (m′_(i,j,t)<m_(i,j,t)), which may cause the USC 215 to provision more NF instances of the NF service i than are actually required. However, m′_(i,j,t) will only increase for a given NF instance if that NF instance receives more network traffic than it can handle, pushing that NF instance into overload. Thus, in some embodiments of probing strategies, an overload condition is intentionally induced in an NF instance that was flagged at step 818 a as potentially having invalid data. In some embodiments of the probing step 824, is incremented by a constant amount P each time step 818 a indicates a stale data state for instance m′_(i,j) (e.g., m′_(i,j,t+1)=m′_(i,j,t)+P). This will eventually result in an NF instance of NF service i being de-provisioned, which will result in a proportional increase in packets received by the remaining NF instances of that NF service.

In other embodiments of the probing step 824, a load balancer (e.g., a load balancer that is part of, or is communicatively coupled to the network controller 218 or is distributed across one or more of the compute nodes 230-233) of the network 200/300 is instructed to send more network traffic to a particular NF instance of NF service i than to other NF instances of that NF service. If data continues to be flagged as stale, the load balancer continues to increase the amount of traffic to the particular NF instance until eventually p_(i,j,t) is approximately equal to m_(i,j,t).

In some embodiments, probing step 824 is performed if no NF instance of NF service i is overloaded and any NF instance of NF service i is underloaded. In other embodiments, probing step 824 is performed if no NF instance of NF service i has been overloaded during a configurable number of previous periods of time. In yet other embodiments, probing step 824 is performed if a configuration state or property of NF service i, or one of the NF instances of NF service i, is changed. In still yet other embodiments, probing step 824 is performed if a property of the incoming network traffic stream changes (e.g., a traffic amount, type, or change in pattern). In some embodiments, probing step 824 is suspended or exited if the amount of network traffic to be processed by NF service i is less than or equal to an amount of network traffic used to probe an NF instance of the NF service i. In such embodiments, probing step 824 is resumed if the amount of network traffic to be processed by NF service i is greater than the amount of network traffic used to probe an NF instance of the NF service i. In some embodiments, probing step 824 is suspended or exited if at least one NF instance of the NF service i is overloaded and the overload distribution of that NF instance has settled (e.g., is not changing significantly over time).

The NF service counter variable i is incremented at step 826 after either step 822 or optional step 824, and flow returns to step 804. The next NF service NF_(i) is processed through 804-826. If at step 804, it is determined that the NF service counter variable i surpasses the number of NF services I, all of the NF services have been considered and the portion of process 800 described herein is complete. In some embodiments, all or a portion of the process 800 is repeated at periodic intervals. In other embodiments, all or a portion of the process 800 is performed in response to an event or signal indicating that the process 800 is to be run.

FIG. 9 provides details of block 812 described with reference to FIG. 8, in accordance with some embodiments. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. Step 912 a is an example embodiment of step 812 a of FIG. 8, and step 912 b is an example embodiment of step 812 b of FIG. 8. As shown, at step 912 a, the overload state of NF instance j of NF service i is determined by a series of logical test cases. In some embodiments, NF_(i,j) is considered to be in an overload state during a time window t if the queue occupancy q_(i,j,t) of a network switch (e.g., the network switch 240) is greater than zero at the end of the time window t (e.g., NF_(i,j) was not able to process all of the packets received by the network switch during the time window t), OR a number of packets l_(i,j,t) dropped from the queue of the network switch is greater than zero, OR an explicit overload signal o_(i,j,t) corresponding to NF_(i,j) was received by the USC 215 (e.g., from the firewall NF instance 211), OR the average CPU utilization c_(i,j,t) associated with NF_(i,j) surpassed a CPU utilization threshold level C_(o) AND a flag or state variable c*_(i) indicates that CPU utilization should be considered for NF service i. In some embodiments, rather than determining if the number of packets l_(i,j,t) dropped from the queue of the network switch is greater than zero, l_(i,j,t) represents a percentage of switch transmissions having dropped packets and is compared to a threshold value other than to zero. That is, a software switch typically transmits packets to an NF instance in transmission sets (e.g., blocks, bursts, or sets of packets). The result of transmitting packets as a set is that some of the packets will be accepted by the NF and the some will be dropped. When an NF instance is overloaded, a few packets will be consistently dropped from each transmission set (or even from most transmission sets). In contrast, when an NF instance is not overloaded, a few packets will be dropped from isolated (e.g., not regularly occurring) transmission sets. Thus, in some embodiments, l_(i,j,t) represents a percentage of transmission sets that experienced dropped packets (rather than a total number of dropped packets) and is compared to a threshold value rather than to 0 (e.g., if l_(i,j,t) is greater than 5%, the NF instance is overloaded).

If based on the above criteria NF_(i,j) is considered to have experienced overload during the time window t, flow continues to step 912 b. At step 912 b, over_EMAvg_p′_(i,j,t), over_EMVar_p′_(i,j,t), and the estimated maximum safe packet rate m′_(i,j,t+1) are updated as follows:

δ=p′ _(i,j,t)−over_EMAvg_p′ _(i,j,t−1)  (Equation 4)

over_EMAvg_p′ _(i,j,t)=over_EMAvg_p′ _(i,j,t−1)+α×δ  (Equation 5)

over_EMVar_p′ _(i,j,t)=(1−α)×(over_EMVar_p′ _(i,j,t−1)+α×δ²)  (Equation 6)

m′ _(i,j,t+1)=over_EMAvg_p′ _(i,j,t)−2×√{square root over (over_EMVar_p′ _(i,j,t−1))}  (Equation 7)

As shown in Equation 7, in some embodiments, m′_(i,j,t+1) is equal to a central tendency (e.g., an average) minus a measure of dispersion (e.g., two standard deviations). In other embodiments, m′_(i,j,t+1) is equal to a central tendency other than an average. In yet other embodiments, m′_(i,j,t+1) is equal to a central tendency minus a measure of dispersion that is not based on a standard deviation. After the estimated maximum safe packet rate m′_(i,j,t) is updated, flow continues to step 814 as shown in FIG. 8.

FIG. 10 illustrates how queue occupancy q_(i,j,t) of a network switch (e.g., the network switch 240) is calculated when it cannot otherwise be measured or reported directly, in accordance with some embodiments. During a time window t, queue 1002 of a network switch (e.g., the network switch 240) enqueues p_(i,j) packets and dequeues p′_(i,j) packets which are subsequently transmitted to NF_(i,j) 1011. Dequeued packets are considered to be packets which are processed by NF_(i,j) 1011. When NF_(i,j) 1011 cannot process packets as quickly as the queue 1002 of the switch is receiving packets, NF_(i,j) 1011 is overloaded. That is, the number of packets p_(i,j) enqueued into the queue 1002 during the time window t is greater than the number of packets p′_(i,j) dequeued from the queue 1002 during the time window t. The queue 1002 having finite resources, or adhering to policy, then drops l_(i,j) packets from the queue. Thus, as shown in FIG. 10, queue occupancy q_(i,j,t) at the end of time window t is calculated as the sum of the queue occupancy g_(i,j,t−1) at the end of a previous time window and the number of packets p_(i,j,t) enqueued into the queue during the time window t, minus the number of packets l_(i,j,t) dropped from the queue 1002 during the time window t and minus the number of packets dequeued from the queue 1002 during the time window t.

FIG. 11 provides details of block 816 described with reference to FIG. 8, in accordance with some embodiments. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. Step 1116 a is an example embodiment of step 816 a of FIG. 8, and step 1116 b is an example embodiment of step 816 b of FIG. 8. As shown, at step 1116 a, the underload state of NF instance j of NF service i is determined by a series of logical test cases. In some embodiments, NF_(i,j) is considered to be in an underload state during a time window t if the NF_(i,j) was NOT determined to be overloaded at step 812, AND either an explicit underload signal u_(i,j,t) corresponding to NF_(i,j) was received by the USC 215 OR the average CPU utilization c_(i,j,t) associated with NF_(i,j) is less than a CPU utilization threshold level C_(u) AND a flag or state variable c*_(i) indicates that CPU utilization should be considered for NF service i. If based on the above criteria NF_(i,j) is considered to have experienced underload during the time window t, flow continues to step 1116 b. At step 1116 b, the estimated maximum safe packet rate m′_(i,j,t+1) is determined as follows:

m′ _(i,j,t+1)=MAX(over_EMAvg_p′ _(i,j,t)−2×√{square root over (over_EMVar_p′ _(i,j,t))},full_EMAvg_p′ _(i,j,t) ,m′ _(i,j,t))  (Equation 8)

As illustrated in equation 8, m′_(i,j,t+1) is updated using whichever is larger of a central tendency of the overload distribution minus a measure of dispersion, the central tendency of the full distribution, and the previous estimated maximum safe packet rate. After the estimated maximum safe packet rate m′_(i,j,t+1) is updated, flow continues to step 814 as shown in FIG. 8.

FIG. 12 provides a first example embodiment of block 818 described with reference to FIG. 8. In accordance with some embodiments, step 1218 a is an example embodiment of step 818 a, and step 1218 b is an example embodiment of step 818 b. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. As shown, at step 1218 a, the invalid state of data corresponding to NF instance j of NF service i is determined by a series of logical test cases. The overload distribution corresponding to NF_(i,j) is considered to be invalid (i.e., “stale”) if the full distribution of data packets processed by NF_(i,j) during time window t has a central tendency that is greater than that of the distribution of data packets processed by NF_(i,j) when it is overloaded AND the variance of the full distribution is less than the variance of the overload distribution. That is, full_EMAvg_p′_(i,j,t) is greater than over_EMAvg_p′_(i,j,t) AND full_EMVar_p′_(i,j,t) is less than over_EMVar_p′_(i,j,t). These relationships are illustrated in the simplified plots 1300 and 1310 of FIGS. 13A-B.

In plot 1300, the full distribution 1302 has a central tendency (full_EMAvg_p′_(i,j,t)) that is less than a central tendency (over_EMAvg_p′_(i,j,t)) of the overload distribution 1304. Similarly, a variance (full_EMVar_p′_(i,j,t)) of the full distribution 1302 is greater than a variance (over_EMVar_p′_(i,j,t)) of the overload distribution 1304. Thus, plot 1300 illustrates, as expected, that on average NF_(i,j) processes a greater number of data packets when it receives the data packets at rate that is greater than which it can process them.

In contrast, the simplified plot of 1310 illustrates a stale data condition for data associated with NF_(i,j). As shown, the full distribution 1312 has a central tendency (full_EMAvg_p′_(i,j,t)) that is greater than a central tendency (over_EMAvg_p′_(i,j,t)) of the overload distribution 1314. Similarly, a variance (full_EMVar_p′_(i,j,t)) of the full distribution 1312 is less than a variance (over_EMVar_p′_(i,j,t)) of the overload distribution 1314. Thus, plot 1310 illustrates, unexpectedly, that on average NF_(i,j) processes fewer data packets when it is receiving the data packets at a rate that is greater than which it can process them. This stale data condition indicates that the overload distribution has not been updated recently and is thereby invalid. In some embodiments, steps are taken to force the NF_(i,j) into an overload state to cause the overload distribution to be updated.

If at step 1218 a it was determined that data corresponding to NF_(i,j) is stale, flow continues to step 1218 b. At step 1218 b, the estimated maximum safe packet rate m′_(i,j,t+1) is determined as follows:

m′ _(i,j,t+1)=MAX(full_EMAvg_p′−2×√{square root over (full_EMVar_p′ _(i,j,t−1))},m′ _(i,j,t))  (Equation 9)

As illustrated in equation 9, m′_(i,j,t+1) is updated using whichever is larger of a central tendency of the full distribution minus a measure of dispersion, and the previous estimated maximum safe packet rate. A central tendency is a center or typical value (e.g., mean, median, mode, midrange, or other) for a probability distribution. A measure of dispersion (e.g., variability, scatter, variance, standard deviation, spread, or other) is the extent to which a distribution varies from the central tendency. After the estimated maximum safe packet rate m′_(i,j,t+1) is updated, flow continues to step 814 as shown in FIG. 8.

As was described above, the USC 215 repeatedly estimates a maximum rate at which an NF instance j of the NF service i can process batches of network data. To estimate the maximum rate, a distribution of processed batch sizes at an overload-inducing load is generated for each NF instance j of the NF service i. This “overload distribution” of processed batch sizes is represented by a central tendency, over_EMAvg_p′_(i,j,t) (e.g., a mean), and a measure of dispersion, over_EMVar_p′_(i,j,t) (e.g., a variance or standard deviation). An estimated maximum safe data unit rate is generated using the overload distribution. In some embodiments, the estimated maximum safe data unit rate is the central tendency of the overload distribution minus two standard deviations, e.g., μ−2σ.

During steady state operation of an NF instance j of NF service i, the estimated maximum safe packet rate for each NF j instance of the NF service i is likely to provide an acceptably accurate input to the USC 215 for determining a representative estimated maximum safe packet rate for the NF service. However, a transition in network traffic characteristics through the NF instance j, and/or a parameter change for the NF instance j may cause a rapid change in a true distribution associated with the NF instance j. As a result of such disturbances, the overload distribution may no longer provide an accurate estimate of a maximum rate at which the NF instance j can process batches of network data. For example, FIG. 14 includes an example 1400 of the software network function chain (SFC) 102 of a network 100 that was introduced with reference to FIG. 1. Example overload distributions 1402 a-b represent true (rather than estimated) distributions of batch sizes processed by the DPI NF service 110. Similarly, example overload distributions 1404 a-b represent true (rather than estimated) distributions of batch sizes processed by the Firewall NF service 111.

The distribution 1402 a represents the actual distribution of batch sizes processed by the DPI NF service 110 when the majority of network packets received by the DPI NF service 110 are encrypted. The distribution 1402 b represents the actual distribution of batch sizes processed by the DPI NF service 110 when the majority of network packets received by the DPI NF service 110 are unencrypted. As shown, a state transition in network traffic characteristics from encrypted packets to unencrypted packets results in a state transition that substantially changes both a central tendency (e.g., a location of a center “bulge” or height/amplitude of the distribution) and a measure of dispersion (e.g., a width of the distribution) associated with the DPI NF service 110. Similarly, the distribution 1404 a represents the actual distribution of batch sizes processed by the firewall NF service 111 when the firewall NF service 111 is configured using a certain number of rules (e.g., 100 rules). The distribution 1404 b represents the actual distribution of batch sizes processed by the firewall NF service 111 when the firewall NF service 111 is configured using a significantly greater number of rules (e.g., 1M rules). As shown, a state transition in operating parameters at one or more instances of the firewall NF service 111 substantially changes both a central tendency and a measure of dispersion associated with the firewall NF service 111. As a result, respective representative estimated maximum safe data unit rates for the NF services calculated using the central tendency and a measure of dispersion of the respective overload distributions calculated before the respective state changes (1402 a and 1404 a) may not accurately represent a true maximum safe data unit rate for that NF service.

An example of the effects of a rapid state transition is illustrated in FIG. 15, which includes plots 1500 of data associated with an NF instance j of an NF service i before, during, and after a state transition at region 1505. As described above, the state transition at the region 1505 could be the result of a change in network traffic characteristics or operating parameters of the NF instance j. In the example shown, observations 1502 (represented as a multitude of black dots) of batch sizes (e.g., in packets) processed by the NF instance j are sampled across time. The observations 1502 are used to determine an estimated mean (line 1503) (i.e., a central tendency) and estimated standard deviation 1504 (i.e., a measure of dispersion) of batch sizes processed by the NF instance j during an overload state. A distribution 1506 represents the actual batch sizes processed by the NF instance j when the NF instance j is in an overload state during steady state operation (i.e., a state of the NF instance j has not changed recently). A distribution 1507 represents actual batch sizes processed by the NF instance j during the state transition at the region 1505. A distribution 1508 represents actual batch sizes processed by the NF instance j when the NF instance j is in an overload state after the state transition at the region 1505. A thick arrow pointing from the distribution 1506 to the distribution 1508 indicates the state transition. The vertical dashed arrow pointing to the distribution 1507 indicates an intermediate point of the state transition (e.g., occurring concurrently in time with the region 1505). As shown at the region 1505, a rapid state transition causes a substantial spike in the estimated standard deviation (i.e., σ) 1504. As a result of this spike, an estimated safe data unit rate for the NF instance j, shown here as μ−2σ, may become invalid, in some cases even attaining a negative value.

To advantageously detect such changes in the distributions associated with an NF instance j, in some embodiments, the USC 215 repeatedly monitors one or more measurements of one or more distributions associated with the NF instance j. In some embodiments, repeatedly determining (i.e., monitoring) if a distribution of packets processed by the NF instance j has changed involves making a determination on an ongoing basis during operation of the USC 215, e.g., continuously, periodically, or based on a signal or event trigger. In some embodiments, the rate at which the USC 215 repeatedly monitors a distribution associated with a given NF instance relates to an expectancy of how rapidly a state associated with that NF instance can change. In other embodiments, the rate is based on overall network parameters (e.g., global or fixed), but may be adjusted by a user to meet a desired operating criterion of the USC 215. In some embodiments, the measurements of the distribution of the NF instance j include a central tendency of the distribution and a measure of dispersion of the distribution. In some embodiments, the one or more distributions associated with the NF instance j include the overload distribution and/or the full distribution, both of which are described above. A central tendency of the overload distribution of an NF instance j of an NF service i is represented herein as over_EMAvg_p′_(i,j,t), and a central tendency of the full distribution of an NF instance j of an NF service i is represented herein as full_EMAvg_p′_(i,j,t). A measure of dispersion of the overload distribution of an NF instance j of an NF service i is represented herein as over_EMVar_p′_(i,j,t), and a measure of dispersion of the full distribution of an NF instance j of an NF service i is represented herein as full_EMVar_p′_(i,j,t). Foregoing example processes for detecting a change in the distributions associated with an NF instance j, and subsequently determining if a reinitialized distribution is valid, are presented using the overload distribution. However, such example processes can be used to detect a respective change in either or both of the full distribution and/or the overload distribution associated with an NF instance j.

FIG. 16A includes plots 1600 that provide an example of monitoring underlying data by the USC 215. The plots 1600 include samples 1602-1604 of batch sizes (e.g., in packets) processed by an NF instance j over time (e.g., in an overload state). Samples 1602-1604 have numerical designators for the purpose of this description, but each large black dot in the plots 1600 represents an additional sample. An estimated central tendency (e.g., a mean) and/or a measure of dispersion 1605 is generated using the samples shown. The line 1605 is used for the purpose of this description to represent either an estimated central tendency or a measure of dispersion of a given distribution. A confidence interval 1606 is associated with the estimated central tendency and/or measure of dispersion 1605 and has an upper bound and a lower bound, signified by respective lines above and below the estimated central tendency and/or measure of dispersion 1605. A confidence interval (CI) is a type of estimate computed using statistics of observed data to propose a range of plausible values for an unknown parameter (e.g., the mean). The confidence interval has an associated confidence level that the true parameter is in the proposed range.

If a given sample would cause the estimated central tendency and/or measure of dispersion 1605 to exceed either the upper or lower bound of the confidence interval 1606, the USC 215 determines that the monitored distribution associated with the NF instance j has changed. Some samples that are not within (i.e., are outside of) the confidence interval 1606, such as the sample 1603, may be acceptable because the estimated central tendency and/or measure of dispersion 1605 remains within the upper and lower bounds of the confidence interval 1606. However, at a region 1608, a sample 1604 would cause the central tendency and/or measure of dispersion 1605 to attain a value 1607 that is not within the confidence interval 1606. Because the confidence interval 1606 would be exceeded on its lower boundary, the USC 215 determines that the monitored distribution for the NF instance j has changed. In some embodiments, upon determining by the USC 215 that the monitored distribution for the NF instance j has changed, the USC 215 triggers a reinitialization event for the monitored distribution, whereupon the calculated central tendency (e.g., over_EMAvg_p′_(i,j,t) or full_EMAvg_p′_(i,j,t)) and calculated measure of dispersion (e.g., over_EMVar_p′_(i,j,t) or full_EMVar_p′_(i,j,t)) associated with the NF instance j are reset to an initial value and are subsequently recalculated (i.e., updated) as subsequent packets are processed by the NF instance j. In some embodiments, a probe event that is the same or similar to the probe step 824 described with reference to FIG. 8 is triggered to rapidly recalculate the monitored distribution after a reinitialization event.

In some embodiments, the USC 215 determines that the monitored distribution for the NF instance j has unacceptably changed by comparing only the central tendency of that distribution to the confidence interval associated with the central tendency. In other embodiments, the USC 215 determines that the monitored distribution for the NF instance j has unacceptably changed by comparing only the measure of dispersion of that distribution to the confidence interval associated with the measure of dispersion. In yet other embodiments, the USC 215 determines that the monitored distribution for the NF instance j has unacceptably changed by comparing the central tendency of the monitored distribution to the confidence interval associated with the central tendency, and by comparing the measure of dispersion of the monitored distribution to the confidence interval associated with the measure of dispersion. In still yet other embodiments, the USC 215 determines that the monitored distribution for the NF instance j has unacceptably changed by comparing the central tendency of the monitored distribution to the confidence interval associated with the central tendency, and by comparing the measure of dispersion of the monitored distribution to a maximum threshold value of dispersion.

As shown in the table of FIG. 16B, a first confidence interval threshold value changedAvgConf associated with the central tendency of the monitored distribution, a second confidence interval threshold value changedVarConf associated with the measure of dispersion of the monitored distribution, and/or a maximum threshold value of dispersion varThreshold associated with the measure of dispersion of the monitored distribution can be selected (i.e., “tuned” by a process or by a user) to meet a desired operating criteria of the USC 215. In some embodiments, the desired operating criteria includes an acceptable number of false positives and/or false negatives in detecting an unacceptable change in the monitored distribution of the NF instance j. In some embodiments, values of one or more of changedAvgConf, changedVarConf, and varThreshold are selected using an optimization algorithm. In some embodiments, the optimization algorithm includes a covariance matrix adaptation algorithm performed on randomly generated true distributions associated with an NF service.

After the USC 215 triggers a reinitialization event for the monitored distribution associated with the NF instance j, subsequent data units transmitted from a network switch to the NF instance j are used to update the reinitialized distribution, thereby forming a new distribution. As the reinitialized distribution is updated, the USC 215 repeatedly monitors the reinitialized distribution to determine if the reinitialized distribution is valid, i.e., is likely to provide a valid estimate of a true distribution associated with the NF instance j. In some embodiments, repeatedly determining if a distribution of packets processed by the NF instance j is valid involves making a determination on an ongoing basis during operation of the USC 215, e.g., continuously, periodically, or based on a signal or event trigger. FIG. 17A includes plots 1700 that provide an example of such monitoring. The plots 1700 include samples 1702-1703 of batch sizes (e.g., in packets) processed by the NF instance j over time (e.g., in an overload state). The samples 1702-1703 have numerical designators for the purpose of this description, but each large black dot in the plots 1700 represents a unique sample. The plots 1700 also include a confidence interval 1704 repeatedly calculated using the samples shown. An estimated central tendency (e.g., a mean) and/or measure of dispersion 1706 (e.g., a standard deviation or a variance) is generated using the samples shown. The line 1706 is used for the purpose of this description to represent either of the central tendency or measure of dispersion of the monitored distribution. The confidence interval 1704 of the central tendency and/or measure of dispersion 1706 is repeatedly calculated using the samples shown and has an upper bound and a lower bound, signified by the respective lines above and below the estimated central tendency and/or measure of dispersion 1706. A respective width (i.e., a difference between the upper bound and the lower bound) of the repeatedly calculated confidence interval 1704 is repeatedly compared to a confidence interval width threshold 1710 (e.g., a maximum allowable width, or width ratio). In general, a width of a calculated confidence interval decreases as a sample size increases. Thus, so long as a width of the repeatedly calculated confidence interval 1704 is wider than the confidence interval width threshold 1710, the monitored distribution is considered by the USC 215 to be invalid (i.e., the distribution has not yet settled). When the width of the repeatedly calculated confidence interval 1704 is no longer wider than, or is less than, the confidence interval width threshold 1710, the monitored distribution is considered by the USC 215 to be valid (i.e., the distribution has settled).

As shown in the table of FIG. 17B, a first fixed confidence interval threshold value validAvgConf associated with the central tendency of the monitored reinitialized distribution, a first confidence interval width ratio threshold validAvgRatio associated with the central tendency of the monitored reinitialized distribution, a second fixed confidence interval threshold value validStdConf associated with the measure of dispersion (e.g., a) of the monitored reinitialized distribution, and a second confidence interval width ratio threshold validStdRatio associated with the measure of dispersion of the monitored reinitialized distribution, can be selected (i.e., “tuned” by a user or a process) to meet a desired operating criteria of the USC 215.

The first fixed confidence interval threshold value validAvgConf and the second fixed confidence interval threshold value validStdConf are fixed width threshold values that are compared respectively to the width of the repeatedly calculated confidence interval 1704 for the central tendency or measure of dispersion of the monitored distribution. In comparison, the first confidence interval width ratio threshold validAvgRatio and the second confidence interval width ratio threshold validStdRatio are scaled width threshold values that are compared respectively to the width of the repeatedly calculated confidence interval 1704 for the central tendency or measure of dispersion of the monitored distribution. In some embodiments, validAvgRatio is scaled by a measure of central tendency of the monitored distribution. For example, in such embodiments the width of the repeatedly calculated confidence interval 1704 is compared to a threshold value validAvgCIThreshold that is equal to validAvgRatio multiplied by a current estimate of the mean of the monitored distribution. Similarly, in some embodiments, validStdRatio is scaled by a measure of dispersion of the monitored distribution. In such embodiments, the width of the repeatedly calculated confidence interval 1704 is compared to a threshold value validStdCIThreshold that is equal to validStdRatio multiplied by a current estimate of dispersion of the monitored distribution.

In some embodiments, the desired operating criteria includes an acceptable number of false positives and/or false negatives in detecting a valid monitored distribution of the NF instance j, as well as an optimal settling time of the reinitialized distribution. In some embodiments, values of one or more of validAvgConf, validAvgRatio, validStdConf, and validStdRatio are selected using an optimization algorithm. In some embodiments, the optimization algorithm includes a covariance matrix adaptation algorithm performed on randomly generated true distributions associated with an NF service.

FIG. 18 provides a simplified example process 1800 for determining and taking corrective steps when a monitored distribution of an NF instance j of an NF service i unacceptably changes, in accordance with some embodiments. In the example shown, an overload distribution associated with the NF instance j is the monitored distribution. However, in some embodiments, the example process 1800 is used to also monitor the full distribution associated with the NF instance j. In some embodiments, the process 1800 is an alternative embodiment of block 818 of FIG. 8. In such embodiments, step 1802 of the process 1800 follows after step 816 of the process 800 and step 1808 of the process 1800 precedes step 820 and step 814 of the process 800. In other embodiments, the process 1800 occurs at another point within the process 800. For example, in some embodiments, the process 1800 can precede, follow, or be part of the blocks 810 or 812 of the process 800. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results.

At step 1802, the USC 215 determines if an overload distribution of NF instance j of NF service i is valid, as was described with reference to FIG. 17A, using a test case designated as VALID ( ). Example embodiments of the VALID ( ) test case are shown and described with reference to FIGS. 20A-C. If it is determined at step 1802 that the overload distribution is not valid, flow continues to step 1808. In some embodiments, at step 1808, the estimated maximum safe packet rate m′_(i,j,t+1) is determined using whichever is larger of a central tendency of the full distribution minus a measure of dispersion, and the previous estimated maximum safe packet rate, as was described with reference to step 1218 b of FIG. 12. Flow then continues, in the example shown, to step 814 of FIG. 8. If it is determined at step 1802 that the overload distribution of NF instance j of NF service i is valid, flow of the process 1800 continues to step 1804.

At step 1804, the USC 215 determines if the overload distribution of NF instance j of NF service i has changed beyond an acceptable threshold, as was described with reference to FIG. 16A, using a test case designated as CHANGED ( ). Example embodiments of the CHANGED ( ) test case are shown and described with reference to FIGS. 19A-D. If it is determined at step 1804 that the overload distribution has not changed, flow continues to step 820 of FIG. 8. If it is determined at step 1804 that the overload distribution of NF instance j of NF service i has unacceptably changed, flow continues to step 1806 whereupon the overload distribution is reinitialized (e.g., set to an initial value or set of values), thereby forcing a recalculation of the overload distribution associated with the NF instance j. In some embodiments, step 1806 additionally triggers a probe step that is the same or similar as step 824 of FIG. 8. After reinitialization is triggered, flow of the process 1800 continues to step 1808, which was described above.

In some embodiments, the VALID ( ) test case at step 1802 is only performed after a reinitialization event at step 1806 and continues to be performed until the VALID ( ) test case determines that a recalculated monitored distribution associated with the NF instance j is valid. Upon determining that the recalculated monitored distribution is valid, the VALID ( ) test case at step 1802 is not performed again until a next reinitialization event is triggered at step 1806. In such embodiments, process flow of the process 1800 bypasses step 1802 to perform step 1804 until the CHANGED ( ) test case determines that the monitored distribution associated with the NF instance j has unacceptably changed, thereby triggering the reinitialization event at step 1806.

FIGS. 19A-D provide simplified example embodiments for determining at step 1804 of the process 1800 if a monitored distribution associated with an NF instance j has unacceptably changed. FIG. 19A illustrates a first example embodiment in which only the central tendency of the monitored distribution is used to detect change, FIG. 19B illustrates a second example embodiment in which only the measure of dispersion of the monitored distribution is used to detect change, FIG. 19C illustrates a third embodiment in which both the central tendency and the measure of dispersion are used to detect change, and FIG. 19D illustrates a fourth example embodiment in which the central tendency and a threshold level of the measure of dispersion are used to detect change. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. The monitored distribution of the NF instance j in the examples shown is the overload distribution associated with the NF instance j. However, the example embodiments shown in FIGS. 19A-D could be used to determine if the full distribution associated with the NF instance j has unacceptably changed.

As shown at FIG. 19A, in some embodiments, the CHANGED ( ) test case at step 1804 of the process 1800 involves determining at step 1904 if the central tendency, over_EMAvg_p′_(i,j,t), of the overload distribution of an NF instance j is not within the confidence interval threshold value changedAvgConf at an upper bound changedAvgConf_(H) and at a lower bound changedAvgConf_(L). If it is determined at step 1904 that the central tendency of the overload distribution has surpassed either of the bounds of the confidence interval threshold value changedAvgConf, process flow continues to step 1806 of the process 1800, otherwise, process flow continues to step 820 of the process 800.

In other embodiments, as shown at FIG. 19B, the CHANGED ( ) test case at step 1804 of the process 1800 involves determining, at step 1906, if the measure of dispersion, over_EMVar_p′_(i,j,t), of the overload distribution associated with an NF instance j is not within the confidence interval threshold value changedVarConf at an upper bound changedVarConf_(H) and at a lower bound changedVarConf_(L). If it is determined at step 1906 that the measure of dispersion of the overload distribution has surpassed either of the bounds of the confidence interval threshold value changedVarConf, process flow continues to step 1806 of the process 1800, otherwise, process flow continues to step 820 of the process 800.

In yet other embodiments, the CHANGED ( ) test case at step 1804 of the process 1800 combines steps 1904 and 1906 of FIGS. 19A-B. As shown in FIG. 19C, at step 1908, if the central tendency, over_EMAvg_p′_(i,j,t), of the overload distribution associated with an NF instance j is not within the upper and lower bounds of the confidence interval threshold value changedAvgConf, process flow continues to step 1806 of the process 1800, otherwise, process flow continues to step 1910. At step 1910, if it is determined that the measure of dispersion, over_EMVar_p′_(i,j,t), of the overload distribution associated with the NF instance j is not within the upper and lower bounds of the confidence interval threshold value changedVarConf, process flow continues to step 1806 of the process 1800, otherwise, process flow continues to step 820 of the process 800.

In still yet other embodiments, the CHANGED ( ) test case at step 1804 of the process 1800 combines step 1904 of FIG. 19A with an additional test. As shown in FIG. 19D, at step 1912 if the central tendency, over_EMAvg_p′_(i,j,t), of the overload distribution associated with an NF instance j is not within the upper and lower bounds of the confidence interval threshold value changedAvgConf, process flow continues to step 1914, otherwise, process flow continues to step 820 of the process 800. At step 1914, if it is determined that the measure of dispersion, over_EMVar_p′_(i,j,t), of the overload distribution associated with the NF instance j is less than a threshold value varThreshold (a maximum value, below which false positives and/or false negatives of the CHANGED ( ) test case are minimized), flow continues to step 1806 of the process 1800. Otherwise, process flow continues to step 820 of the process 800.

FIGS. 20A-C provide simplified example embodiments for determining, at step 1802 of the process 1800, if a reinitialized monitored distribution of an NF instance j of an NF service i is valid (i.e., is likely to be an accurate estimate of a true distribution associated with that NF service). FIG. 20A illustrates a first example embodiment in which a repeatedly calculated confidence interval of the central tendency of the reinitialized monitored distribution is used to determine if the distribution is valid, FIG. 20B illustrates a second example embodiment in which a repeatedly calculated confidence interval of the measure of dispersion (e.g., the variance or standard deviation) of the reinitialized monitored distribution is used to determine if the distribution is valid, and FIG. 20C illustrates a third embodiment that combines the embodiments of FIG. 20A and FIG. 20B.

The monitored reinitialized distribution of the NF instance j in the examples shown is the overload distribution associated with the NF instance j. However, the example embodiments shown in FIGS. 20A-C could be used to determine if the full distribution associated with the NF instance j is valid (i.e., has settled) The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different steps, orders of steps, and combinations of steps to achieve similar functions or results.

As shown at FIG. 20A, in some embodiments, the VALID ( ) test case at step 1802 of the process 1800 involves determining at step 2002 if a width of a repeatedly calculated confidence interval of a central tendency, over_EMAvg_p′_(i,j,t), of the overload distribution associated with the NF instance j is less than a confidence interval width threshold validAvgCIThreshold. As described with reference to FIG. 17B, in some embodiments, the value of the interval width threshold validAvgCIThreshold is validAvgRatio multiplied by a scalar (e.g., a current measure of a central tendency of the monitored distribution). In other embodiments, the value of the interval width threshold validAvgCIThreshold is a fixed value, validAvgConf.

A function designated as CI ( ) repeatedly calculates the confidence interval of over_EMAvg_p′_(i,j,t), a width thereof being compared to the confidence interval width threshold validAvgCIThreshold. The width of the calculated confidence interval of over_EMAvg_p′_(i,j,t) is equal to an upper bound of the calculated confidence interval minus a lower bound of the calculated confidence interval. If it is determined at step 2002 that the width of the confidence interval associated with the central tendency of the overload distribution is less than the confidence interval width threshold validAvgCIThreshold, the overload distribution is considered to be valid and process flow continues to step 1804. Otherwise, process flow continues to step 1808.

In other embodiments, as shown at FIG. 20B, the VALID ( ) test case at step 1802 of the process 1800 involves determining at step 2004 if a width of a repeatedly calculated confidence interval of a measure of dispersion, √over_EMVar_p′_(i,j,t), of the overload distribution of an NF instance j is less than a confidence interval width threshold validStdCIThreshold. As described with reference to FIG. 17B, in some embodiments, the value of the interval width threshold validStdCIThreshold is validStdRatio multiplied by a scalar (e.g., a current measure of dispersion of the monitored distribution). In other embodiments, the value of the interval width threshold validStdCIThreshold is a fixed value, validStdConf.

If it is determined at step 2004 that the width of the repeatedly calculated confidence interval associated with the measure of dispersion of the overload distribution is less than the confidence interval width threshold validStdCIThreshold, the overload distribution is considered to be valid and process flow continues to step 1804. Otherwise, process flow continues to step 1808.

In yet other embodiments, the VALID ( ) test case at step 1802 of the process 1800 combines steps 2002 and 2004 of FIGS. 20A-B. As shown in FIG. 20C, at step 2006 it is determined if a width of a repeatedly calculated confidence interval of the central tendency, over_EMAvg_p′_(i,j,t) is less than the confidence interval width threshold validAvgCIThreshold. If it is determined at step 2006 that the width of the repeatedly calculated confidence interval associated with the central tendency of the overload distribution is less than the confidence interval width threshold validAvgCIThreshold, the overload distribution is considered to be valid and process flow continues to step 2008. Otherwise, process flow continues to step 1808 of the process 1800. At step 2008, it is determined if a width of a repeatedly calculated confidence interval of the measure of dispersion, √over_EMVar_p′_(i,j,t), is less than the confidence interval width threshold validStdCIThreshold. If it is determined at step 2008 that the width of the repeatedly calculated confidence interval associated with the measure of dispersion of the overload distribution is less than the confidence interval width threshold validStdCIThreshold, the overload distribution is considered to be valid and process flow continues to step 1804 of the process 1800. Otherwise, process flow continues to step 1808 of the process 1800.

FIG. 21 includes plots 2100 of data associated with an NF instance j of an NF service i before, during, and after a state transition at region 2116 when using the example process 1800, in accordance with some embodiments. In the example shown, observations 2110 of batch sizes (shown as a multitude of black dots) processed by the NF instance j are sampled across time. The observations 2110 are used to determine an estimated mean (line 2112) and an estimated standard deviation 2114 of batch sizes processed by the NF during an overload state. As shown, both the estimated mean 2112 and the estimated standard deviation 2114 advantageously remain stable throughout the state transition at the region 2116, thereby minimizing a response time to rapid state transitions of the NF instance j. The operation shown in the plots 2100 is superior to the operation shown in the plots 1500 of FIG. 15, for which the example process 1800 was not used.

FIGS. 22-25 provide details for alternate embodiments for determining how many NF instances of an NF service should be provisioned within the network based on the total number of packets and the representative estimated maximum safe data rate m′_(i,t). In accordance with some embodiments, all or a portion of the steps of process 2200 of FIG. 22 are included as part of step 512 described with reference to FIG. 5. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. At step 2202, an NF service counter variable i is initialized. Each integer value of the NF service instance counter variable i corresponds to one of I NF services considered (e.g., monitored) by the USC 215 and is designated as NF_(i). At step 2204, the NF service counter variable i is tested to see if it surpasses the total number I of NF services (e.g., whether each of the I NF services has been processed/considered). If i does not surpass I, flow continues to step 2206. At step 2206, the number of packets b_(i,t) (or other units of data) that were designated to be received by NF service NF_(i) during time t is divided by the representative estimated maximum safe number of packets m′_(i,t+1) that the NF service NF_(i) can process during the time window t. In some embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during the current time window. In other embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during a subsequent time window. In still other embodiments, the number of packets b_(i,t) is a direct measure of the number of packets (or data units) designated to be received by the NF service i during the current or subsequent time window. In some embodiments, the number of packets b_(i,t) is an average, median, maximum, minimum, or other aggregate of previous b_(i,t) values. If the quotient is a non-integer, it is rounded up to the next integer value (e.g., using a ceiling function CEIL). The rounded quotient is used as the number of NF instances n_(i,t+1) of the NF service NF_(i) which should be provisioned within the network during time window t+1. Flow continues to step 2208, where the NF service counter variable i is incremented, so that the next NF service NF_(i) is processed through 2204-2206. At step 2204, if it is determined that the NF service counter variable i surpasses the number of NF services I, i.e., all of the NF services have been processed, then the process 2200 is complete. In some embodiments, all or a portion of the process 2200 is repeated at periodic intervals. In other embodiments, all or a portion of the process 2200 is performed in response to an event or signal indicating that the process 2200 is to be run.

In accordance with other embodiments, all or a portion of the steps of process 2300 of FIG. 23 are included as part of step 512 described with reference to FIG. 5. The particular steps, order of steps, and combination of steps are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. At step 2302, an NF service counter variable i is initialized. Each integer value of the NF service instance counter variable i corresponds to one of I NF services considered by the USC 215 and is designated as NF_(i). At step 2304, the NF service counter variable i is tested to see if it surpasses the total number I of NF services (e.g., whether each of the I NF services has been processed/considered). If i does not surpass I, flow continues to step 2306. At step 2306, the number of packets b_(i,t) (or other units of data) that were designated to be received by NF service NF_(i) during time t is divided by the representative estimated maximum safe number of packets m′_(i,t+1) that the NF service NF_(i) can process during the time window t. In some embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during the current time window. In other embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during a subsequent time window. In still other embodiments, the number of packets b_(i,t) is a direct measure of the number of packets (or data units) designated to be received by the NF service i during the current or subsequent time window. In some embodiments, the number of packets b_(i,t) is an average, median, maximum, minimum, or other aggregate of previous b_(i,t) values. If the quotient is a non-integer, it is rounded up to the next integer value (e.g., using a ceiling function). If the rounded quotient is greater than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, flow continues to step 2308. At step 2308, the number of NF instances n_(i,j,t+1) of the NF service NF_(i) is incremented by an integer value x (e.g., 1, 2, 3, or another integer value). Flow continues to step 2310, where the NF service counter variable i is incremented, so that the next NF service NF_(i) is processed.

If at step 2306 the rounded quotient is not greater than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, flow continues to step 2312. At step 2312, if it is determined if the rounded quotient is less than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, flow continues to step 2314. At step 2314, the number of NF instances n_(i,t+1) of the NF service NF_(i) is decremented by an integer value y (e.g., 1, 2, 3, or another integer value). In some embodiments, the integer value y used to decrement n_(i,t) at step 2314 is different than the integer value x used to increment n_(i,t) at step 2308. In other embodiments, the integer value y used to decrement n_(i,t) at step 2314 is the same as the integer value x used to increment n_(i,t) at step 2308. Flow continues to step 2310, where the NF service counter variable i is incremented, so that the next NF service NF_(i) is processed.

If at step 2312 the rounded quotient is not less than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, flow continues to step 2316. At step 2316, the current number of NF instances n_(i,t) of the NF service NF_(i) is used as the updated number of NF instances n_(i,t+1) of the NF service NF_(i). Flow then continues to step 2310, where the NF service counter variable i is incremented, so that the next NF service NF_(i) is processed. At step 2304, if it is determined that the NF service counter variable i surpasses the number of NF services I, i.e., all of the NF services have been processed, then the process 2300 is complete. In some embodiments, all or a portion of the process 2300 is repeated at periodic intervals. In other embodiments, all or a portion of the process 2300 is performed in response to an event or signal indicating that the process 2300 is to be run.

FIG. 24 includes a table of state variables and parameters described with reference to FIG. 25. The particular steps, order of steps, and combination of steps of FIG. 25 are shown for illustrative and explanatory purposes only. Other embodiments can implement different particular steps, orders of steps, and combinations of steps to achieve similar functions or results. In accordance with other embodiments, all or a portion of the steps of process 2500 of FIG. 25 are included as part of step 512 described with reference to FIG. 5. At step 2502, an NF service counter variable i is initialized. Each integer value of the NF service instance counter variable i corresponds to one of I NF services considered by the USC 215 and is designated as NF_(i). At step 2504, the NF service counter variable i is tested to see if it surpasses the total number I of NF services (e.g., whether each of the I NF services has been processed/considered). If i does not surpass I, flow continues to step 2506. At step 2506, a proportional-integral-derivative (PID) control loop is updated according to the following equations:

$\begin{matrix} {\mspace{79mu}{e_{i,t} = {{CEIL}\left( {\frac{b_{i,t}}{m_{i,{t + 1}}^{\prime}} - n_{i,t}} \right)}}} & \left( {{Equation}\mspace{14mu} 10} \right) \\ {{n\_ adj} = {{K_{p} \times \left\lbrack e_{i,t} \right\rbrack} + {K_{i} \times \left\lbrack {\sum_{t}e_{i,t}} \right\rbrack} + {K_{d} \times \left\lbrack {e_{i,t} - e_{i,{t - 1}}} \right\rbrack}}} & \left( {{Equation}\mspace{14mu} 11} \right) \\ {\mspace{79mu}{n_{i,{t + 1}} = {n_{i,t} + {n\_ adj}}}} & \left( {{Equation}\mspace{14mu} 12} \right) \end{matrix}$

The response of the PID loop at step 2506 is configured using an adjustable proportional gain variable K_(p), an adjustable integral gain variable K_(i), and an adjustable derivative gain variable K_(d). Tuning the response of a PID loop using such gain variables is understood by one of skill in the art. The output of the PID loop at each iteration is a delta n_adj of NF instances of NF service i that should be added to, or subtracted from, the current number of NF instances n_(i,t) of the NF service. In some embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during the current time window. In other embodiments, the number of packets b_(i,t) is an estimate of the number of packets (or data units) designated to be received by the NF service i during a subsequent time window. In still other embodiments, the number of packets b_(i,t) is a direct measure of the number of packets (or data units) designated to be received by the NF service i during the current or subsequent time window. In some embodiments, the number of packets b_(i,t) is an average, median, maximum, minimum, or other aggregate of previous b_(i,t) values. Flow continues to step 2508, where the NF service counter variable i is incremented, so that the next NF service NF_(i) is processed similarly. At step 2504, if it is determined that the NF service counter variable i surpasses the number of NF services I, i.e., all of the NF services have been processed, then the process 2500 is complete. In some embodiments, all or a portion of the process 2500 is repeated at periodic intervals. In other embodiments, all or a portion of the process 2500 is performed in response to an event or signal indicating that the process 2500 is to be run.

In some embodiments, after each of the processes 2200, 2300, or 2500 has completed, if n_(i,t+1) is greater than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, additional NF instances are provisioned. If n_(i,t+1) is less than the number of NF instances n_(i,t) of the NF service NF_(i) currently provisioned in the network, superfluous NF instances are de-provisioned. In some embodiments, additional NF instances are provisioned, or superfluous NF instances are de-provisioned for each NF service after all I NF services have been processed by the USC 215. In other embodiments, additional NF instances are provisioned, or superfluous NF instances are de-provisioned after each NF service is processed by the USC 215.

FIG. 26 illustrates an example compute node 2600 of the network 300, in accordance with some embodiments. In some embodiments, one or more of the compute nodes 230-233 are the same or similar to the compute node 2600. The compute node 2600 generally includes one or more CPUs 2602, a memory module 2604 (e.g., RAM), a non-volatile data storage module 2606 (e.g., a hard drive or array of hard drives), a network I/O module 2608 (e.g., a network interface card (NIC) and/or a top-of-rack interface), and other modules 2610 such as user I/O, wireless communication modules, optical communication modules, system diagnostic or monitoring modules, or other modules. In some embodiments, the compute node 2600 is configured to perform all or a portion of the processes 500, 600, 800, 2200, 2300, and 2500. In some embodiments, the USC 215 is implemented at the compute node 2600 or at a compute node that is similar to the compute node 2600.

Reference has been made in detail to embodiments of the disclosed invention, one or more examples of which have been illustrated in the accompanying figures. Each example has been provided by way of explanation of the present technology, not as a limitation of the present technology. In fact, while the specification has been described in detail with respect to specific embodiments of the invention, it will be appreciated that those skilled in the art, upon attaining an understanding of the foregoing, may readily conceive of alterations to, variations of, and equivalents to these embodiments. For instance, features illustrated or described as part of one embodiment may be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present subject matter covers all such modifications and variations within the scope of the appended claims and their equivalents. These and other modifications and variations to the present invention may be practiced by those of ordinary skill in the art, without departing from the scope of the present invention, which is more particularly set forth in the appended claims. Furthermore, those of ordinary skill in the art will appreciate that the foregoing description is by way of example only, and is not intended to limit the invention. 

What is claimed is:
 1. A method comprising: receiving, at a switch of a network, one or more batches of data units, the network further comprising i) one or more network function (NF) instances of an NF service, and ii) a scaling controller; transmitting, from the switch to an NF instance of the one or more NF instances, a first plurality of data units of the one or more batches of data units; updating, using the first plurality of data units, a first distribution associated with the NF instance, the first distribution corresponding to how many data units of the first plurality of data units were transmitted from the switch to the NF instance during a first time period; determining whether the updated first distribution has changed such that a first measure of the first distribution is outside of a first confidence interval threshold; reinitializing the first distribution upon determining that the first distribution has changed; transmitting, from the switch to the NF instance during a second time period, a second plurality of data units of the one or more batches of data units; and updating, using the second plurality of data units, the reinitialized first distribution to produce a second distribution associated with the NF instance.
 2. The method of claim 1, wherein: updating the first distribution associated with the NF instance further comprises determining that the NF instance was in an overload state during the first time period; and updating the reinitialized first distribution associated with the NF instance further comprises determining that the NF instance was in the overload state during the second time period.
 3. The method of claim 1, wherein: the first measure of the first distribution is a central tendency; and the first confidence interval threshold is a confidence interval of the central tendency of the first distribution.
 4. The method of claim 1, wherein: the first measure of the first distribution is a measure of dispersion; and the first confidence interval threshold is a confidence interval of the measure of dispersion.
 5. The method of claim 1, wherein: the first measure of the first distribution is a central tendency; the first confidence interval threshold is a confidence interval of the central tendency of the first distribution; determining that the updated first distribution has changed further comprises determining that a second measure of the first distribution is outside of a second confidence interval threshold; the second measure of the first distribution is a measure of dispersion of the first distribution; and the second confidence interval threshold is a confidence interval of the measure of dispersion of the first distribution.
 6. The method of claim 1, wherein: the first measure of the first distribution is a central tendency; the first confidence interval threshold is a confidence interval of the central tendency of the first distribution; determining that the updated first distribution has changed further comprises determining that a second measure of the first distribution is less than a threshold value; the second measure of the first distribution is a measure of dispersion of the first distribution; and the threshold value is maximum measure of dispersion of the first distribution.
 7. The method of claim 1, further comprising: transmitting, from the switch to the NF instance during a third time period, a third plurality of data units of the one or more batches of data units; updating, using the third plurality of data units, the second distribution associated with the NF instance; calculating a confidence interval using the updated second distribution; and determining that the updated second distribution is valid such that a width of the calculated confidence interval is less than a second confidence interval threshold.
 8. The method of claim 7, wherein: the first measure of the updated second distribution is a central tendency; and the second confidence interval threshold is a maximum confidence interval width threshold.
 9. The method of claim 7, wherein: the first measure of the updated second distribution is a measure of dispersion; and the second confidence interval threshold is a maximum confidence interval width threshold.
 10. The method of claim 7, wherein: the first measure of the updated second distribution is a central tendency of the updated second distribution; the second confidence interval threshold is a first maximum confidence interval width threshold; and determining that the updated second distribution is valid further comprises: calculating another confidence interval using a measure of dispersion of the updated second distribution; and determining that a width of the other calculated confidence interval is less than a second maximum confidence interval width threshold.
 11. The method of claim 7, further comprising: upon determining that the updated second distribution is valid, determining an estimated maximum safe data unit rate for the NF instance using a measure of central tendency of the updated second distribution.
 12. The method of claim 11, wherein determining the estimated maximum safe data unit rate for the NF instance comprises: using the measure of central tendency of the updated second distribution minus a measure of dispersion of the updated second distribution as the estimated maximum safe data unit rate.
 13. The method of claim 11, further comprising: determining a representative estimated maximum safe data unit rate for the NF service using the estimated maximum safe data unit rate; determining an incoming data unit rate of the NF service; and determining, at the scaling controller, a total number of NF instances of the NF service to be provisioned in the network using the determined incoming data unit rate of the NF service and the representative estimated maximum safe data unit rate of the NF service.
 14. The method of claim 7, further comprising: upon determining that the updated second distribution is valid, determining an estimated maximum safe data unit rate for the NF instance using the updated second distribution; determining a representative estimated maximum safe data unit rate for the NF service using the estimated maximum safe data unit rate; estimating, at the scaling controller of the network, a total number of data units designated to be received by the NF service during a third period of time; and determining, at the scaling controller, a total number of NF instances of the NF service to be provisioned in the network using the estimated total number of data units designated to be received by the NF service and the representative estimated maximum safe data unit rate of the NF service.
 15. The method of claim 7, further comprising: upon determining that the updated second distribution is valid, determining an estimated maximum safe data unit rate for the NF instance using the updated second distribution; determining a representative estimated maximum safe data unit rate for the NF service using the estimated maximum safe data unit rate; estimating, at the scaling controller of the network, a total number of data units designated to be received by the NF service during a third period of time; and generating, at the scaling controller, an overload signal based on the estimated total number of data units designated to be received by the NF service and the representative estimated maximum safe data unit rate of the NF service.
 16. The method of claim 7, further comprising: upon determining that the updated second distribution is valid, determining an estimated maximum safe data unit rate for the NF instance using the updated second distribution; determining a representative estimated maximum safe data unit rate for the NF service using the estimated maximum safe data unit rate; determining an incoming data unit rate of the NF service; and determining, at the scaling controller, a total number of NF instances of the NF service to be provisioned in the network using the determined incoming data unit rate of the NF service and the representative estimated maximum safe data unit rate of the NF service.
 17. The method of claim 16, wherein determining the estimated maximum safe data unit rate for the NF instance comprises: using a measure of central tendency of the updated second distribution minus a measure of dispersion of the updated second distribution as the estimated maximum safe data unit rate.
 18. The method of claim 17, wherein determining the representative estimated maximum safe data unit rate comprises: determining respective estimated maximum safe data unit rates for one or more additional NF instances of the NF service; and using a largest value of the respective estimated maximum safe data unit rates as the representative estimated maximum safe data unit rate.
 19. The method of claim 17, wherein determining the representative estimated maximum safe data unit rate comprises: determining respective estimated maximum safe data unit rates for one or more additional NF instances of the NF service; and using a measure of central tendency of the respective estimated maximum safe data unit rates as the representative estimated maximum safe data unit rate.
 20. The method of claim 1, wherein: the second distribution is an overload distribution associated with the NF instance, or a full distribution associated with the NF instance. 